Scan of the Month 27 Analysis

The Honeynet Project Scan of the Month
Analysis performed by Anders Amandusson
<anders dot amandusson at sca dot com >
April 24th 2003

Mission

The Challenge:
In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot
having a null (blank) administrative password.
During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting
several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet.
During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet.
The challenge is based on logs from five days of honeypot operation, collected using Snort.
The logs have been edited to remove irrelevant traffic and combined into a single file.
Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is
not readily apparent. Your mission is to analyze the log file in order to answer the questions below.

Summary

The server was, among other things, targeted by the W32/Deloder worm, which also dropped an IRC bot on the server. The IRC bot tried to connect to five different IRC servers until it was accepted by the fifth.
One attack used the same weakness the Deloder worm exploits (guessing the Administrator password over TCP port 445, which Windows 2000 uses for SMB directly over TCP instead of over NetBIOS) and uploaded a remote administration tool (Remote Administrator Server v2.1).
Frequent but unsuccessful attempts were made by the SQLsnake and W32.SQLExp worms. A massive web vulnerability scan was performed after a port scan.
A couple of other tools (Forensic Acquisition Utilities 1.0.0.1030 (beta1), ZipCentral and fport) were downloaded via HTTP, but since there was no other communication to the server during the 2½ hours before the download, I assumed they were fetched by an administrator.

Tools used

Ethereal 0.8.20
Snort 1.9.0

Answers

Even though I consider myself a beginner in the forensics area, I will try to answer the intermediate questions as well.

What is a botnet?

A bot is a scripted IRC "user". It is used to manage access lists, run quizzes or serve files in channels.
Bots are automated and controlled by events (usually commands given in a channel).
A botnet is something different.
It could be described as a channel full of bots, most of whose owners are unaware that their machine is present there, because it was infected by a Trojan horse.
The Trojan could have reached the client PC wrapped in another file and run whenever that file is executed, sent as an attachment, downloaded from a website or, as in this case, delivered by a worm. A botmaster (botnet administrator) controls the channel and gives commands to the infected clients.

What are botnets commonly used for?

Botnets can be used (and are used) for launching denial of service attacks. As a botnet can consist of thousands of infected hosts, the result is a very effective DDoS attack.
The botmaster can use channel commands to make the bots spam other channels with a link to a website hosting the Trojan, recruiting even more bots.
He or she could also launch attacks against other channels, or make the bots send back nickname passwords.

What TCP ports does IRC generally use?

TCP port 6667 is the conventional IRC port; servers commonly accept connections on the whole 6660-6669 range. The bot in this capture used 6667.

What is a binary log file and how is one created?

A binary log file is produced by a packet logger such as snort (with -b) or tcpdump (or windump on Windows).
Digital data communication is a stream of bits, so it is best to keep the logged
traffic in exactly that form.
The log file is then an exact copy of the packets as they passed on the wire, so nothing is lost in the logging step.
To analyze a binary log file, a tool such as Ethereal or snort (with -r) is used to translate the binary data into something readable by humans.
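As an added example (not part of the original analysis), the following Python script builds a small libpcap file in memory, the same format snort -b and tcpdump -w write, and then reads it back the way Ethereal or snort -r would, printing the one-line "src:port -> dst:port" summaries used later on this page and optionally keeping only packets on the IRC port. The two TCP frames are constructed from the timestamps and addresses quoted in this analysis; the MAC addresses, sequence numbers and checksums are zero placeholders, and the ARP frame is there only to show that non-IP records are skipped rather than misparsed.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic number; microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_tcp_frame(src_ip, sport, dst_ip, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame with no payload (SYN by default).
    MAC addresses, sequence numbers and checksums are zero placeholders."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def build_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record. The magic number tells
    us which byte order the logging host wrote the file in."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _wirelen = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + caplen]
        off += caplen

def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame,
    or None for anything else (ARP, UDP, truncated frames)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport, frame[14 + ihl + 13]

def snort_style_lines(data, port=None):
    """Render each TCP packet as 'MM/DD-HH:MM:SS.usec src:port -> dst:port',
    the form snort -v prints; port=6667 keeps only IRC traffic."""
    lines = []
    for sec, usec, frame in read_pcap(data):
        hdr = decode_tcp(frame)
        if hdr is None:
            continue
        src, sport, dst, dport, _flags = hdr
        if port is not None and port not in (sport, dport):
            continue
        ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%m/%d-%H:%M:%S")
        lines.append(f"{ts}.{usec:06d} {src}:{sport} -> {dst}:{dport}")
    return lines

def _epoch(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

# Constructed sample capture: the two connections quoted in this analysis plus
# an ARP frame (EtherType 0x0806) that a TCP decoder must skip.
SAMPLE_PCAP = build_pcap([
    (_epoch(2003, 3, 5, 7, 21, 9), 173460,
     build_tcp_frame("172.16.134.191", 1041, "207.68.176.250", 80)),
    (_epoch(2003, 3, 6, 5, 45, 0), 0, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),
    (_epoch(2003, 3, 6, 5, 45, 19), 604225,
     build_tcp_frame("172.16.134.191", 1129, "66.33.65.58", 6667)),
])

if __name__ == "__main__":
    for line in snort_style_lines(SAMPLE_PCAP):
        print(line)
    print("IRC only:", snort_style_lines(SAMPLE_PCAP, port=6667))
```

The point of the byte-order check is that a capture written on one machine can be read on another with different endianness; the magic number is the only hint, so a reader that hardcodes one order will silently produce garbage timestamps and lengths on the other.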

What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

209.126.161.29 (owned by California Regional Internet, Inc)
66.33.65.58 (ns.espaciosweb.net)
63.241.174.144 (irc4.aol.com)
217.199.175.10 (ns2.caralarmuk.com)
209.196.44.172 (ipdwbc0271atl2.public.registredsite.com)

Here’s a screenshot showing the connections in the logfile.

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

When the honeypot connected, the IRC server reported 4752 global users (max 4765), but it also reported 346 connected local users (of 348 possible slots).

But the Challenge stated:"During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet"
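To show where figures like these come from, here is an added example (not part of the original analysis) that parses IRC protocol lines in the RFC 1459 form ":prefix COMMAND params :trailing", pulls the user counts out of the 251, 265 and 266 replies a server sends at connect time, and counts the distinct hosts seen JOINing a channel, which is the raw measurement behind a statement like "15,164 distinct hosts were seen entering the botnet". The session lines are constructed: the counts are the ones quoted above, but the server name, the channel name #c, the nicks, the hostmasks and the "12 servers" figure are made up, and the wording of the 265/266 replies varies between IRC daemons, so only the first two integers in their text are used (an assumption).

```python
import re

def parse_irc(line):
    """Split one IRC line into (prefix, command, params), RFC 1459 style: an
    optional ':prefix', the command or numeric, then parameters, the last of
    which may be a ':trailing' parameter that contains spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        raise ValueError("empty IRC message")
    return prefix, params[0], params[1:]

def host_of(prefix):
    """'nick!user@host' -> 'host'; a bare server name is returned unchanged."""
    return prefix.rsplit("@", 1)[-1] if prefix else ""

LUSERS_RE = re.compile(r"There are (\d+) users and (\d+) invisible on (\d+) servers")

def server_counts(lines):
    """Collect what the server announces at connect time: 251 (RPL_LUSERCLIENT)
    gives users/invisible/servers; 265 and 266 give current and maximum local
    and global users. For 265/266 the first two integers in the text are taken
    as (current, max) because daemons word the line differently (assumption)."""
    counts = {}
    for line in lines:
        _prefix, cmd, params = parse_irc(line)
        text = params[-1] if params else ""
        if cmd == "251":
            m = LUSERS_RE.search(text)
            if m:
                counts["users"], counts["invisible"], counts["servers"] = map(int, m.groups())
        elif cmd in ("265", "266"):
            nums = [int(n) for n in re.findall(r"\d+", text)]
            if len(nums) >= 2:
                key = "local" if cmd == "265" else "global"
                counts[key + "_users"], counts[key + "_max"] = nums[0], nums[1]
    return counts

def distinct_joining_hosts(lines, channel):
    """Distinct hosts seen JOINing the channel. Keyed on the host part of the
    prefix, so a bot that reconnects under a new nick is not counted twice."""
    hosts = set()
    for line in lines:
        prefix, cmd, params = parse_irc(line)
        if cmd == "JOIN" and params and params[0].lower() == channel.lower():
            hosts.add(host_of(prefix))
    return hosts

# Constructed session. The counts are the ones quoted in the analysis; the
# server, channel, nicks, hostmasks and server count are placeholders.
SAMPLE_SESSION = [
    ":irc.example.net 001 honeybot :Welcome to the network honeybot",
    ":irc.example.net 251 honeybot :There are 4752 users and 0 invisible on 12 servers",
    ":irc.example.net 265 honeybot :Current local users: 346  Max: 348",
    ":irc.example.net 266 honeybot :Current global users: 4752  Max: 4765",
    ":honeybot!bot@192.0.2.10 JOIN :#c",
    ":fwrrj!bot@198.51.100.7 JOIN :#c",
    ":xkqpa!bot@203.0.113.44 JOIN :#c",
    ":xkqpa!bot@203.0.113.44 PART #c :leaving",
    ":mmrtv!bot@203.0.113.44 JOIN :#c",     # same host back with a new nick
    ":irc.example.net PING :irc.example.net",
]

if __name__ == "__main__":
    print(server_counts(SAMPLE_SESSION))
    print(sorted(distinct_joining_hosts(SAMPLE_SESSION, "#c")))
```

Note the gap this exposes between the two numbers on this page: the 265/266 replies are a snapshot of who is connected at the moment the bot joins, while "distinct hosts seen entering" is a count of JOINs accumulated over the whole five days, so the latter can be far larger than any single snapshot.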

I am using snort to extract a readable part of the log file to see the IRC parts.

03/05-07:21:09.173460 172.16.134.191:1041 -> 207.68.176.250:80
Someone is looking for users.erol.com/gmgarner/forensics; this was a misspelling.
It should be users.erols.com, which brings the user to www.rcn.com (a telecommunications provider). This site is accessed 17 seconds later and someone is looking at RCN availability. But this was probably not what he/she was after, because of the next item.

Access from 210.22.204.101 to 172.16.134.191 on port 4899 (radmin) was conducted until 03/05-04:48:22.370000 210.22.204.101:3313 -> 172.16.134.191:4899.
Between this event and the software downloads above there was only one sunrpc probe and three W32.SQLExp.Worm probes.
As there was no other communication to 172.16.134.191 for 2½ hours before the downloads, my guess would be that it was a legitimate administrator who downloaded these tools.

03/06-05:38:29.840686 61.111.101.78:1697 -> 172.16.134.191:445
The last packet of the W32/Deloder-A worm has arrived.
The first attempt to connect to an IRC server was made 6 min 50 s later:
03/06-05:45:19.604225 172.16.134.191:1129 -> 66.33.65.58:6667
This is not surprising, as the W32/Deloder-A worm is supposed to drop an IRC bot (see the worm description).
It is just further proof that this is the Deloder worm.

What vulnerabilities did attackers attempt to exploit?

There were many attempts on the web server from 24.197.194.106. The attacker was trying to use installed scripts, DLLs and executables (default IIS scripts, FrontPage extensions, ...) to reach \winnt\system32\cmd.exe (command execution on the server) and \winnt\repair\sam (the backup copy of the SAM database, which holds the account password hashes). The tool used for this attack was not identified.
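As an added example (not part of the original analysis, and not the unidentified tool's code), the following Python script shows how a scan of this kind is recognised in a web log: the request target is decoded the way the target server would decode it, including double percent-encoding, %uXXXX escapes and overlong UTF-8 sequences that a strict decoder would reject, backslashes are folded to slashes and ".." segments are resolved, and the result is compared against the two files the scan was after. The request lines and the log layout ("source-ip METHOD target version") are constructed for illustration; only the attacker's address and the two target files come from the analysis, and the page does not say which encodings the real scan used.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Files the scan described in the analysis was trying to reach, as normalised paths.
SENSITIVE_FILES = ("/winnt/system32/cmd.exe", "/winnt/repair/sam")

def decode_lenient_utf8(raw):
    """Decode bytes as UTF-8 the way a buggy decoder does: overlong two- and
    three-byte sequences (e.g. C0 AF for '/') are accepted instead of rejected,
    because that is what the target would have seen. Anything else that is not
    valid becomes U+FFFD."""
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= c <= 0xBF for c in raw[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)

def normalize_path(target):
    """Canonicalise a request target: strip the query, decode %uXXXX and
    percent escapes repeatedly (double encoding), accept overlong UTF-8,
    fold backslashes to slashes, resolve '..' and lower-case the result."""
    path = target.split("?", 1)[0]
    for _ in range(3):      # bounded: stops when a pass changes nothing
        step = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
        step = decode_lenient_utf8(unquote_to_bytes(step))
        if step == path:
            break
        path = step
    path = path.replace("\\", "/")
    # leading "/" re-added after lstrip so normpath cannot keep a "//" prefix
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def scan_requests(lines):
    """Return (source, raw_target, normalised_path) for every request whose
    decoded path lands on one of SENSITIVE_FILES."""
    findings = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 3:
            continue
        source, target = parts[0], parts[2]
        path = normalize_path(target)
        if path in SENSITIVE_FILES:
            findings.append((source, target, path))
    return findings

# Constructed log lines: "source-ip METHOD target version". The encodings are
# illustrative; the analysis does not record which ones the real scan used.
SAMPLE_REQUESTS = [
    "24.197.194.106 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "24.197.194.106 GET /_vti_bin/..%255c..%255c..%255cwinnt/repair/sam HTTP/1.0",
    "24.197.194.106 GET /msadc/..%e0%80%af..%e0%80%af..%e0%80%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "24.197.194.106 GET /scripts/..%u002f..%u002fWINNT/System32/CMD.EXE?/c+dir HTTP/1.0",
    "192.0.2.77 GET /index.html HTTP/1.0",
    "192.0.2.77 GET /scripts/..%c0%af../inetpub/wwwroot/default.htm HTTP/1.0",
]

if __name__ == "__main__":
    for source, target, path in scan_requests(SAMPLE_REQUESTS):
        print(f"{source} {target!r} -> {path}")
```

The deliberate leniency in decode_lenient_utf8 is the detection-side mirror of the server-side bug: a detector that decodes strictly sees C0 AF as garbage and misses the traversal, while the server that accepts it hands out cmd.exe. A hardened server does the opposite, rejecting overlong sequences and normalising before any access check.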

General Questions (not judged)

What did you learn about analysis as a result of studying this scan?

I think that I have learned something more about network communications, but also gained a better knowledge of how to read the log files.
I can handle the tools (Ethereal and snort) better, even though I still have very much to learn.
I would like to think that I have increased my ability to put things together and draw conclusions (but I still need much more experience in this area, and hopefully I'm not completely wrong).

How do you anticipate being able to apply your new knowledge and skills?

The most obvious situation would be to apply this knowledge whenever investigating incidents of our own. I also think that I would be able to use this skill and knowledge in my day-to-day work, as I don’t think that there is such a thing as unnecessary knowledge (There might be things you don’t want to know, but that’s a different thing).

How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

I like the mix between beginner and advanced level challenges. That way experienced people might find some challenges interesting, and beginners like me can also increase our experience both by solving the easier challenges and by reading the reports on the more advanced ones. I haven't been participating long enough to name anything I would like to see done differently yet.